Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Hewlett Packard Enterprise reached a major milestone this week, announcing on April 13 that its Format-Preserving Encryption (FPE) technology is now Federal Information Processing Standards validated. Terence Spies, chief technologist at HPE Security, said getting its FPE technology FIPS validated has been a long process.

FIPS validation is important because it enables a technology to be used within government agencies and industries that require validation before technologies can be widely used. The FIPS standards are maintained by the U.S. National Institute of Standards and Technology (NIST).

The basic idea behind FPE is to use a cipher like Advanced Encryption Standard (AES) that produces output that has the same format as the input, according to Spies. So, for example, if a credit card number is put into an FPE system, a credit card number can be taken out, but with selected digits randomized. FPE uses a sophisticated approach that uses 10 AES encryption functions. Using 10 AES functions provides a strong level of encryption that outputs data of the same length as the original data, he said.

Further reading

A common approach for online data is for organizations to use a simple mathematical hashing function to effectively hide data from potential attackers. FPE is more robust than basic hashing approaches, Spies said.

"FPE is a one-to-one algorithm, so there are no collisions and the underlying database is very clean," he said. "With FPE, it's also easy for enterprises to keep data in the cypher text format."

Spies added that HPE wants enterprises to encrypt data with FPE and then use the corresponding cypher text, as if they were using the original data itself. So, for example, if a credit card number was encrypted with FPE, the FPE cypher text could then be used directly, without the need to store the data in an unencrypted format.

"With FPE being FIPS certified now, enterprises can go back to an auditor and say the cryptography has been validated by NIST," he said.

FPE is used by retailers to help keep payment data secure, according Spies. It can be installed in a point-of-sale (PoS) terminal and is also used by HPE SecureData customers to keep personally identifiable information (PII) secure for web transactions. Customers will, however, likely require an end-to-end HPE SecureData setup to fully benefit from FPE.

"There is nothing truly interoperable today, since in addition to FPE, there is also key management and the associated protocols on top," Spies said. "There isn't really a complete end-to-end standard for all the pieces."

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.